On Anonymity of Group Signatures

Zhou Sujing and Lin Dongdai
SKLOIS Lab, Institute of Software, Chinese Academy of Sciences, 4# South Fourth Street, Zhong Guan Cun, Beijing 100080, P.R. China

Abstract. A secure group signature is required to be anonymous, that is, given two group signatures generated by two different members on the same message or two group signatures generated by the same member on two different messages, they are indistinguishable except for the group manager. In this paper we prove the equivalence of a group signature’s anonymity and its indistinguishability against chosen ciphertext attacks if we view a group signature as an encryption of member identity. Particularly, we prove ACJT’s group signature is IND-CCA2 secure, so ACJT’s scheme is anonymous in the strong sense. The result is an answer to an open question in literature.

1 Introduction

Group Signatures. A group signature, which includes at least the algorithms Setup, Join, Sign, Verify, Open and Judge (defined in Section 2), is motivated by enabling members of a group to sign on behalf of the group without leaking their own identities; the signer's identity can, however, be opened by the group manager (GM) in case of dispute.

Models of Group Signatures. Informally, a secure group signature scheme satisfies traceability, unforgeability, coalition resistance, exculpability, anonymity and unlinkability [1]. Formal models [2–5] of secure group signatures compress these requirements into redefined notions of anonymity, traceability and non-frameability.

Anonymity. In [1], anonymity is defined similarly to IND-CPA (indistinguishability against chosen plaintext attacks, [6]), but in [2–5] it is defined similarly to IND-CCA2 (indistinguishability against chosen ciphertext attacks, Section 2). Hereafter we mean anonymity in the latter, strong sense. An anonymous generic group signature can be constructed from any IND-CCA2 public key encryption scheme [3]. The question is whether an IND-CCA2 public key encryption is the minimum requirement for constructing an anonymous group signature. Some group signatures adopting ElGamal encryption are considered not anonymous, and it has been pointed out that after replacing the ElGamal encryption with a double ElGamal encryption scheme, which is IND-CCA2 secure, these group signatures become anonymous (e.g. [4, 7]). In [8], it is further posed as an open question whether ACJT's scheme [1], which uses a single ElGamal encryption scheme, provides anonymity.

We explore this problem in this paper and answer the open question positively. We point out that the problem lies in the behavior, specifically Open, of GM or OA (the decryption oracle in the case of a public key encryption scheme). Take ordinary ElGamal encryption [9] as an example: let $(T_1 = m_i y^r, T_2 = g^r)$ be a challenge. An adversary can easily change it into a new ciphertext $(m y^s T_1, g^s T_2)$ and feed it to the decryption oracle, which would certainly reply with $m m_i$ since the query is valid and different from the challenge; the adversary can then solve the challenge problem. In other words, ElGamal encryption is only IND-CPA [6]. It is well known that an IND-CCA2 encryption scheme can be obtained by double encrypting the same message under an IND-CPA encryption scheme [10]. The resulting IND-CCA2 ElGamal ciphertext consists of two independent ElGamal encryptions and a proof that the same plaintext is encrypted in both. The strong security of double-encryption transformed IND-CCA2 schemes comes from the difficulty, for a computationally bounded adversary, of composing a valid ciphertext related to the challenge, while an uncorrupted decryption oracle only decrypts valid queried ciphertexts. Nevertheless, a half corrupted decryption oracle might simply ignore the invalidity of a ciphertext, decrypt either one of the two ciphertext pieces and reply to the adversary. This is possible in reality: for instance, poorly designed decryption software might misuse its decryption key by decrypting whatever it receives before checking the validity of the ciphertext, and inadvertently discard the decryption outputs only when they are found to be meaningless. When ElGamal encryption is embedded in a group signature, e.g., the ACJT scheme [1], the intuition is that it is difficult for an adversary to forge a new valid group signature from a challenge group signature, and the open oracle would first check the validity of a query before replying with the decrypted content.
In anonymous group signature schemes adopting double ElGamal encryption [4, 7, 8], if GM (OA) is half corrupted, i.e., it directly opens any queried group signature regardless of whether the proof included in the ciphertext is correct, or of whether the whole group signature is valid, the anonymity of the group signature scheme is hard to guarantee. So in the case of a half corrupted GM (OA), not every IND-CCA2 encryption ensures anonymity of the group signature; but for an uncorrupted GM (OA), an IND-CPA secure encryption might be enough to ensure anonymity. The point is that GM (OA), i.e., the open oracle, should check validity before applying its private key instead of misusing it.

Our Contribution: We prove the equivalence between the anonymity of a group signature and its IND-CCA2 security, if we view the group signature as a public key encryption of group member identities. In particular, we prove that ACJT's group signature is IND-CCA2 secure under the DDH assumption, so ACJT's scheme is anonymous in the strong sense of [3]. The result answers an open question proposed in [8].
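The contrast between a reliable and a half corrupted decryption oracle, as an added toy example that is not part of the paper: plain ElGamal with the transformation $(m y^s T_1, g^s T_2)$ from above, and a Naor-Yung style double ElGamal whose Schnorr-type equality proof lets a strict oracle reject the transformed challenge while an oracle that decrypts one piece without checking still leaks the plaintext. The group parameters, the proof construction and all function names are constructed for illustration; this is not ACJT's scheme and the sizes give no security.

```python
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 is a safe prime and G = 4 has order q.
# These sizes are for illustration only and give no security.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def eg_encrypt(y, m, r=None):
    """Plain ElGamal (T1, T2) = (m * y^r, g^r); returns the ciphertext and r."""
    r = secrets.randbelow(Q - 1) + 1 if r is None else r
    return (m * pow(y, r, P) % P, pow(G, r, P)), r

def eg_decrypt(x, ct):
    t1, t2 = ct
    return t1 * pow(t2, -x, P) % P

def eg_maul(y, ct, m):
    """The paper's transformation (m y^s T1, g^s T2): decrypts to m * m_i."""
    (u, v), _ = eg_encrypt(y, m)
    return (u * ct[0] % P, v * ct[1] % P)

def _challenge(*vals):
    # Fiat-Shamir challenge, kept as a full 256-bit integer (reduced only in exponents)
    return int.from_bytes(hashlib.sha256(repr(vals).encode()).digest(), "big")

def double_encrypt(y1, y2, m):
    """Naor-Yung style double ElGamal: two ciphertexts under independent keys plus a
    Schnorr-type proof of knowledge of r1, r2 with v1 = g^r1, v2 = g^r2 and
    u1/u2 = y1^r1 / y2^r2, i.e. both pieces encrypt the same plaintext."""
    (u1, v1), r1 = eg_encrypt(y1, m)
    (u2, v2), r2 = eg_encrypt(y2, m)
    w1, w2 = secrets.randbelow(Q), secrets.randbelow(Q)
    a1, a2 = pow(G, w1, P), pow(G, w2, P)
    a3 = pow(y1, w1, P) * pow(y2, -w2, P) % P
    c = _challenge(y1, y2, u1, v1, u2, v2, a1, a2, a3)
    return ((u1, v1), (u2, v2), (c, (w1 + c * r1) % Q, (w2 + c * r2) % Q))

def verify(y1, y2, ct):
    """Recompute the commitments from the responses and check the challenge."""
    (u1, v1), (u2, v2), (c, z1, z2) = ct
    a1 = pow(G, z1, P) * pow(v1, -c, P) % P
    a2 = pow(G, z2, P) * pow(v2, -c, P) % P
    a3 = pow(y1, z1, P) * pow(y2, -z2, P) * pow(u1 * pow(u2, -1, P), -c, P) % P
    return c == _challenge(y1, y2, u1, v1, u2, v2, a1, a2, a3)

def strict_open(x1, y1, y2, ct):
    """The reliable oracle of the paper: apply the key only to a valid ciphertext."""
    return eg_decrypt(x1, ct[0]) if verify(y1, y2, ct) else None

def half_corrupted_open(x1, ct):
    """The misbehaving oracle: decrypt one piece without checking the proof."""
    return eg_decrypt(x1, ct[0])

def maul_double(y1, y2, ct, m):
    """Re-randomise both pieces by m and keep the stale proof."""
    return (eg_maul(y1, ct[0], m), eg_maul(y2, ct[1], m), ct[2])
```

The stale proof no longer matches the re-randomised pieces, so strict_open returns None for the transformed ciphertext, whereas half_corrupted_open returns the product of the chosen factor and the challenge plaintext.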


2 Formal Definitions

Group Signature [3]. The group manager GM is separated into an issuer authority IA and an opener authority OA. A group signature GS is composed of the following algorithms:

Setup. It includes a group key generation algorithm Gkg and a user key generation algorithm Ukg.
– Gkg: a probabilistic polynomial-time algorithm for generating the group public key gpk, IA's secret key ik and OA's secret key ok, given security parameter $1^{k_g}$;
– Ukg: a probabilistic polynomial-time algorithm run by a group member candidate to obtain a personal public and private key pair $(upk_i, usk_i)$, given security parameter $1^k$.

Join. A probabilistic polynomial-time interactive protocol between IA and a member candidate with user public key $upk_i$ that results in the user becoming a new group member in possession of a secret signing key $gsk_i$, i.e., a certificate signed by the group issuer. They satisfy a specified relation R: $R(ID_i, upk_i, usk_i, gsk_i) = 1$. Set $Grp = Grp \cup \{ID_i\}$, where Grp denotes the set of valid group members, with initial value NULL.

Sign. A probabilistic polynomial-time algorithm which, on input a message M, $gsk_i, upk_i, usk_i$, $ID_i \in Grp$ and gpk, returns a group signature σ on M. $(m, \sigma)$ can also be written as $(m, \rho, \pi)$, where ρ is a blinding of the member identity and π is a proof of correctness of ρ.

Verify. A deterministic polynomial-time algorithm which, on input a message-signature pair $(M, \sigma)$ and gpk, returns 1 (accept) or 0 (reject); a group signature $(M, \sigma)$ is valid if and only if $Verify(M, \sigma) = 1$.

Open. A deterministic polynomial-time algorithm that, on input a message-signature pair $(M, \sigma)$ and OA's secret key ok, returns an ID and a proof π showing the correctness of the decryption.

Judge. A deterministic polynomial-time algorithm that takes $(M, \sigma, ID, \pi)$ as input and returns 1 (accept) or 0 (reject), indicating a judgement on the output of Open.

Anonymity [3].
A group signature scheme is anonymous if for any polynomial-time adversary A and large enough security parameter k, $Adv^{anon}_A$ is negligible:
$$Adv^{anon}_A = P[Exp^{anon-1}_A(k) = 1] - P[Exp^{anon-0}_A(k) = 1],$$
where the experiments $Exp^{anon-b}_A$, $b \in \{0, 1\}$, are defined as in Table 1. The oracles Ch, Open, SndToU, WReg, USK, CrptU are defined as:

Ch: It randomly chooses $b \in_R \{0, 1\}$ and generates a valid group signature σ on a given m under keys $(ID_u, upk_b, usk_b, gsk_b)$.
Open: If the input $(\sigma, m)$ is not valid, it returns reject; else it opens σ and outputs $(ID, \pi)$. We emphasize that the Open oracle is fully reliable, i.e., it decrypts a group signature if and only if it is valid, throughout the anonymity analysis in this paper.
SndToU plays the role of IA in Join, i.e., it generates valid certificates (secret signing keys) $gsk_u$ on queries. WReg resets any entry in the registration table (storing Join transcripts) to a specified value. USK returns $usk_i, gsk_i$ of a specified member i. CrptU sets a corrupted member's $upk_i$ to a specified value.

Public Key Encryption [6]. Given a key space K, message space M and ciphertext space C, a public key encryption scheme over them consists of the following algorithms:
– Gen: a probabilistic polynomial-time algorithm that on input $1^k$ outputs a public/secret key pair $(pk, sk) \in K$;
– Enc: a probabilistic polynomial-time algorithm that on input $1^k$, a message $m \in M$ and pk, returns a ciphertext $c \in C$;
– Dec: a deterministic polynomial-time algorithm that on input $1^k$, a ciphertext $c \in C$ and sk, returns a message $m' \in M$ or a special symbol reject.

IND-CCA2 [6]. A public key encryption scheme is indistinguishable against chosen ciphertext attacks if for any polynomial-time adversary A and large enough security parameter k, $Adv^{IND\text{-}CCA2}_A$ is negligible:
$$Adv^{IND\text{-}CCA2}_A = P[Exp^{IND\text{-}CCA2-1}_A(k) = 1] - P[Exp^{IND\text{-}CCA2-0}_A(k) = 1],$$
where the experiments $Exp^{IND\text{-}CCA2-b}_A$, $b \in \{0, 1\}$, are defined as in Table 1. The oracles Ch, Dec, Enc are defined as:

Ch: It randomly chooses $b \in_R \{0, 1\}$ and generates a valid encryption c of $m_b$ on input $(m_0, m_1)$.
Dec: On a query ciphertext c, it first checks its validity and returns the decrypted plaintext if valid, else returns reject.
Enc: It generates a ciphertext c of the queried m.

Table 1. Definitions of Experiments.

$Exp^{anon-b}_A(k)$:
  $(gpk, ik, ok) \leftarrow Gkg(1^k)$,
  $d \leftarrow A(gpk, ik, Ch, Open, SndToU, WReg, USK, CrptU)$,
  return d.

$Exp^{IND\text{-}CCA2-b}_A(k)$:
  $(pk, sk) \leftarrow Gen(1^k)$,
  $d \leftarrow A(pk, Ch, Dec, Enc)$,
  return d.

3 Equivalence of Anonymity and IND-CCA2

Abdalla et al. constructed a public key encryption scheme from any group signature [11], and proved that if the adopted group signature is secure, i.e., fully anonymous (the same as anonymous in [3]) and fully traceable [2], their construction is an IND-CPA secure public key encryption; furthermore it is IND-CCA2 if the message space is restricted to {0, 1}. They did not investigate the inverse direction. It is evident that an IND-CCA2 secure public key encryption alone cannot produce a secure group signature, since traceability and non-frameability are lacking. Nevertheless we show an equivalence between the anonymity of group signatures and the IND-CCA2 security of the corresponding public key encryptions.

An Encryption Scheme of Member Identity. Suppose there exists a group signature GS as defined in Section 2. Let $K = \{(gpk, ik, ok) : (gpk, ik, ok) \leftarrow Gkg(1^{k_g})\}$, $M = \{ID : R(ID, upk_u, usk_u, gsk_u) = 1,\ \exists\, upk_u \leftarrow Ukg(1^k),\ gsk_u \leftarrow Join(upk_u, ik, gpk)\}$ and C the ciphertext space. The following algorithms compose a public key encryption scheme EI:
– Gen: i.e., Gkg; it outputs $pk = (gpk, ik)$, $sk = ok$;
– Enc: to encrypt an ID, first generate $upk_u, usk_u, gsk_u$ such that $R(ID, upk_u, usk_u, gsk_u) = 1$, select a random $r \in_R \{0, 1\}^*$, then run Sign on r and return $(\sigma, r)$;
– Dec: given a ciphertext $(\sigma, r)$, run Open and return an ID and a proof π.

Theorem 1. If GS is anonymous, then EI is IND-CCA2 secure.

Proof. Suppose A is an IND-CCA2 adversary against EI; we construct B to break the anonymity of GS. B has inputs gpk, ik and access to the oracles Ch, Open, SndToU, WReg, USK, CrptU. It publishes M and the corresponding $(upk_u, usk_u, gsk_u)$ for $ID_u \in M$. It simulates the oracles of EI as follows:

Decryption Oracle EI.Dec: on receiving a query ciphertext $(m, \rho, \pi)$, B forwards it to the Open oracle. If it is valid, Open returns the corresponding plaintext, i.e., the member's identity ID. B forwards the reply to A.

Challenge Oracle EI.Ch: on receiving the query $ID_0, ID_1 \in M$, B selects $m \in_R \{0, 1\}^*$ and sends $(ID_0, ID_1, m)$ to its oracle Ch. Ch chooses $b \in_R \{0, 1\}$ and generates a group signature of m under $(upk_b, usk_b, gsk_b)$: $(m, \rho_b, \pi_b)$. B may continue to answer queries to EI.Dec except for $(m, \rho_b, \pi_b)$. B forwards $(m, \rho_b, \pi_b)$ to A, who is able to determine b with probability more than 1/2. B outputs whatever A outputs. □

Theorem 2. If EI is IND-CCA2 secure, then the underlying GS is anonymous.

Proof. Suppose A is an adversary against the anonymity of GS; we construct B to break the IND-CCA2 security of EI. B has access to the oracles Ch, Dec. It simulates GS's oracles GS.Ch, GS.Open, GS.{SndToU, WReg, USK, CrptU} as follows:

Open Oracle GS.Open: on receiving a query $(m, \rho, \pi)$, B forwards it to its decryption oracle Dec. If it is a valid ciphertext, Dec returns the corresponding plaintext, i.e., the member's identity ID, and π. B forwards the reply to A.

Oracles GS.{SndToU, WReg, USK, CrptU}: since B has the private key of the issuer authority, it can simulate these oracles easily.

Challenge Oracle GS.Ch: on receiving the challenge query $(ID_0, upk_0, usk_0, gsk_0)$, $(ID_1, upk_1, usk_1, gsk_1)$ and m, B forwards them to its challenge oracle Ch, which chooses $b \in_R \{0, 1\}$ and generates a valid encryption of $ID_b$ using the random m: $(m, \rho_b, \pi_b)$, i.e., a valid signature on m under $(ID_b, upk_b, usk_b, gsk_b)$. The rest of the proof is the same as in Theorem 1. □

4 Anonymity of ACJT's Group Signature

ACJT's scheme [1] does not completely conform to the model of [3] (Section 2), but such aspects are beyond our consideration of anonymity here. The following is a rough description of ACJT's scheme:

– Setup. IA randomly chooses a safe RSA modulus n and $a, a_0, g, h$, and specifies two integer intervals Δ, Γ. OA chooses x and sets $y = g^x$. $gpk = \{n, a, a_0, y, g, h\}$, ik is the factorization of n, $ok = x$.
– Join. The user selects $usk_i = x_i$, $upk_i = a^{x_i}$, where $x_i \in_R \Delta$, and gets $gsk_i = (A_i, e_i)$, $e_i \in_R \Gamma$, from IA. The relation is defined as $R: A_i = (a^{x_i} a_0)^{1/e_i} \bmod n$.
– Sign. A group signature $(T_1, T_2, T_3, s_1, s_2, s_3, s_4, c)$ is a zero-knowledge proof of knowledge of $A_i, x_i, e_i$, where $(T_1, T_2)$ is a correct encryption of $A_i$.
– Open. OA decrypts $A := T_1 / T_2^x$ and gives a proof of knowledge of the decryption key x.
– Verify & Judge. Verification of the corresponding zero-knowledge proof.

Theorem 3. ACJT's scheme is an IND-CCA2 secure encryption of $M = \{A \in QR_n \mid \exists e \in \Gamma, x \in \Delta,\ A^e = a^x a_0\}$ under the DDH assumption in the random oracle model.

The proof is standard as in [6] and is provided in the Appendix. It follows that:

Theorem 4. ACJT's group signature is anonymous under the DDH assumption in the random oracle model.

References

1. G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik, "A practical and provably secure coalition-resistant group signature scheme," in Crypto'00, LNCS 1880, pp. 255–270, Springer-Verlag, 2000.
2. M. Bellare, D. Micciancio, and B. Warinschi, "Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions," in Eurocrypt'03, LNCS 2656, pp. 614–629, Springer-Verlag, 2003.
3. M. Bellare, H. Shi, and C. Zhang, "Foundations of group signatures: The case of dynamic groups," in CT-RSA'05, LNCS 3376, pp. 136–153, Springer-Verlag, 2005.
4. A. Kiayias and M. Yung, "Group signatures: Provable security, efficient constructions and anonymity from trapdoor-holders," http://eprint.iacr.org/2004/076/.
5. A. Kiayias and M. Yung, "Group signatures with efficient concurrent join," in Eurocrypt'05, LNCS 3494, pp. 198–214, Springer-Verlag, 2005.
6. R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM J. Comput., vol. 33, no. 1, pp. 167–226, 2004.
7. A. Kiayias, Y. Tsiounis, and M. Yung, "Traceable signatures," in Eurocrypt'04, LNCS 3027, pp. 571–589, Springer-Verlag, 2004.
8. L. Nguyen and R. Safavi-Naini, "Efficient and provably secure trapdoor-free group signature schemes from bilinear pairings," in Asiacrypt'04, LNCS 3329, pp. 372–386, Springer-Verlag, 2004.
9. T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete logarithms," in Crypto'84, LNCS 196, pp. 10–18, Springer-Verlag, 1985.
10. M. Naor and M. Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks," in 22nd Annual ACM Symposium on the Theory of Computing, pp. 427–437, ACM Press, 1990.
11. M. Abdalla and B. Warinschi, "On the minimal assumptions of group signature schemes," in Information and Communications Security (ICICS 2004), LNCS 3269, pp. 1–13, Springer-Verlag, 2004.


A Proof of Anonymity

Theorem 5. If we view ACJT's group signature [1] as an encryption scheme with message space $M = \{A \in QR_n \mid \exists e \in \Gamma, x \in \Delta,\ A^e = a^x a_0 \bmod n\}$, then it is IND-CCA2 secure under the assumption that DDH is hard even when the factorization of n is known (in the random oracle model).

Proof. Choose $y = g^x \bmod n$, $x \in_R [1, (p-1)(q-1)/4]$.

Game $G_0$:
  $(A_0, x_0, e_0, A_1, x_1, e_1) \leftarrow A^{Enc, Dec, Random}(p, q, n, y, g)$,
  $(m, \rho_b, \pi_b) \leftarrow Ch(A_0, x_0, e_0, A_1, x_1, e_1)$,
  $b^* \leftarrow A^{Enc, Dec, Random}(m, \rho_b, \pi_b)$,
  If $b^* = b$ return 1, else return 0.

Sub-protocol $Ch(A_0, x_0, e_0, A_1, x_1, e_1)$: $b \in_R \{0, 1\}$, return $Enc(A_b, x_b, e_b)$.

Sub-protocol $Enc(A, x, e)$: $r \in_R [1, (p-1)(q-1)/4]$, $m \in_R \{0, 1\}^*$,
  $\rho =_{def} (T_1, T_2, T_3) = (A y^r,\ g^r,\ g^e h^r)$,
  $\pi = PK\{(\alpha, \beta, \gamma, \delta) : a_0 = T_1^\alpha / (a^\beta y^\gamma),\ T_2 = g^\delta,\ 1 = T_2^\alpha / g^\gamma,\ T_3 = g^\alpha h^\delta,\ \alpha \in \Gamma,\ \beta \in \Delta\}\{m\} = (c, s_1, s_2, s_3, s_4)$,
  $c \leftarrow H\big(g, h, y, a_0, a, T_1, T_2, T_3,\ a_0^c T_1^{s_1 - c 2^{\gamma_1}} / (a^{s_2 - c 2^{\lambda_1}} y^{s_3}),\ T_2^{s_1 - c 2^{\gamma_1}} / g^{s_3},\ T_2^c g^{s_4},\ T_3^c g^{s_1 - c 2^{\gamma_1}} h^{s_4},\ m\big)$.
  return $(m, \rho, \pi)$.

Sub-protocol $Dec(m, \rho, \pi)$: Check the validity of π by executing $V(m, \rho, \pi)$. If $V(m, \rho, \pi) = 1$, parse ρ into $(T_1, T_2, T_3)$, return $A = T_1 / T_2^x$ and a proof $\pi_d = PK\{x : T_1 / A = T_2^x,\ y = g^x\}$; else return reject.

Random Oracle $H(r)$: If r exists in table H, return the corresponding h; else select $h \in_R \{0, 1\}^k$, store $(r, h)$ in H and return h.


Sub-protocol $V(m, \rho, \pi)$: Parse ρ into $T_1, T_2, T_3$ and π into $c, s_1, s_2, s_3, s_4$. Let
  $d_1' := a_0^c T_1^{s_1 - c 2^{\gamma_1}} / (a^{s_2 - c 2^{\lambda_1}} y^{s_3}) \bmod n$,
  $d_2' := T_2^{s_1 - c 2^{\gamma_1}} / g^{s_3} \bmod n$,
  $d_3' := T_2^c g^{s_4} \bmod n$,
  $d_4' := T_3^c g^{s_1 - c 2^{\gamma_1}} h^{s_4} \bmod n$.
Check table H for $r = (g, h, y, a_0, a, T_1, T_2, T_3, d_1', d_2', d_3', d_4', m)$ and c. If $(r, c)$ does not exist in table H, return 0; else if $s_1 \in \pm\{0, 1\}^{\epsilon(\gamma_2 + k) + 1}$, $s_2 \in \pm\{0, 1\}^{\epsilon(\lambda_2 + k) + 1}$, $s_3 \in \pm\{0, 1\}^{\epsilon(\gamma_1 + 2\ell_p + k + 1) + 1}$, $s_4 \in \pm\{0, 1\}^{\epsilon(2\ell_p + k) + 1}$, return 1.

Game $G_1$: Same as Game $G_0$ except for sub-protocol Ch.

Sub-protocol $Ch(A_0, x_0, e_0, A_1, x_1, e_1)$: $b \in_R \{0, 1\}$, $m \in_R \{0, 1\}^*$, $r, r' \in_R [1, (p-1)(q-1)/4]$,
  $\rho_b =_{def} (T_1, T_2, T_3) = (A_b y^r,\ g^{r'},\ g^{e_b} h^r)$,
  Simulate a proof $\pi_b = PK\{(\alpha, \beta, \gamma, \delta) : a_0 = T_1^\alpha / (a^\beta y^\gamma),\ T_2 = g^\delta,\ 1 = T_2^\alpha / g^\gamma,\ T_3 = g^\alpha h^\delta,\ \alpha \in \Gamma,\ \beta \in \Delta\}\{m\} = (c, s_1, s_2, s_3, s_4)$,
  $c \leftarrow H\big(g, h, y, a_0, a, T_1, T_2, T_3,\ a_0^c T_1^{s_1 - c 2^{\gamma_1}} / (a^{s_2 - c 2^{\lambda_1}} y^{s_3}),\ T_2^{s_1 - c 2^{\gamma_1}} / g^{s_3},\ T_2^c g^{s_4},\ T_3^c g^{s_1 - c 2^{\gamma_1}} h^{s_4},\ m\big)$.
  return $(m, \rho_b, \pi_b)$.

The difference between $G_0$ and $G_1$ is that in $G_0$ $(g, y, T_2, T_1 / A_b)$ is a DDH sample, while in $G_1$ it is a random sample.

Game $G_2$: Same as Game $G_1$ except for sub-protocol Ch.

Sub-protocol $Ch(A_0, x_0, e_0, A_1, x_1, e_1)$: $b \in_R \{0, 1\}$, $m \in_R \{0, 1\}^*$, $r, r', r'' \in_R [1, (p-1)(q-1)/4]$,
  $\rho_b =_{def} (T_1, T_2, T_3) = (A_b y^r,\ g^{r'},\ g^{e_b} h^{r''})$,
  Simulate a proof $\pi_b = PK\{(\alpha, \beta, \gamma, \delta) : a_0 = T_1^\alpha / (a^\beta y^\gamma),\ T_2 = g^\delta,\ 1 = T_2^\alpha / g^\gamma,\ T_3 = g^\alpha h^\delta,\ \alpha \in \Gamma,\ \beta \in \Delta\}\{m\} = (c, s_1, s_2, s_3, s_4)$,
  $c \leftarrow H\big(g, h, y, a_0, a, T_1, T_2, T_3,\ a_0^c T_1^{s_1 - c 2^{\gamma_1}} / (a^{s_2 - c 2^{\lambda_1}} y^{s_3}),\ T_2^{s_1 - c 2^{\gamma_1}} / g^{s_3},\ T_2^c g^{s_4},\ T_3^c g^{s_1 - c 2^{\gamma_1}} h^{s_4},\ m\big)$.
  return $(m, \rho_b, \pi_b)$.

The difference between $G_1$ and $G_2$ is that in $G_1$ $(y, h, T_1 / A_b, T_3 / g^{e_b})$ is a DDH sample, while in $G_2$ it is a random sample.

Denote A's output in Game $G_i$ as $A_{G_i}$. Suppose A is a successful adversary against IND-CCA2 attacks, that is, there exists a non-negligible $\epsilon > 0$ such that
$$P[A_{G_0} = 1 \mid b = 1] - P[A_{G_0} = 1 \mid b = 0] \ge \epsilon.$$

Because of DDH,
$$|P[A_{G_0} = 1 \mid b] - P[A_{G_1} = 1 \mid b]| \le Adv^{DDH}_A, \quad b = 0, 1,$$
$$|P[A_{G_1} = 1 \mid b] - P[A_{G_2} = 1 \mid b]| \le Adv^{DDH}_A, \quad b = 0, 1.$$

In Game $G_2$, every component of the challenge is randomized independently, so there exists a negligible $\epsilon_1$ with
$$P[A_{G_2} = 1 \mid b = 1] - P[A_{G_2} = 1 \mid b = 0] < \epsilon_1.$$

But
$$\begin{aligned}
\epsilon &\le P[A_{G_0} = 1 \mid b = 1] - P[A_{G_0} = 1 \mid b = 0] \\
&= P[A_{G_0} = 1 \mid b = 1] - P[A_{G_1} = 1 \mid b = 1] + P[A_{G_1} = 1 \mid b = 1] - P[A_{G_1} = 1 \mid b = 0] + P[A_{G_1} = 1 \mid b = 0] - P[A_{G_0} = 1 \mid b = 0] \\
&\le 2\,Adv^{DDH}_A + P[A_{G_1} = 1 \mid b = 1] - P[A_{G_2} = 1 \mid b = 1] + P[A_{G_2} = 1 \mid b = 1] - P[A_{G_2} = 1 \mid b = 0] + P[A_{G_2} = 1 \mid b = 0] - P[A_{G_1} = 1 \mid b = 0] \\
&\le 4\,Adv^{DDH}_A + P[A_{G_2} = 1 \mid b = 1] - P[A_{G_2} = 1 \mid b = 0] \\
&< 4\,Adv^{DDH}_A + \epsilon_1.
\end{aligned}$$

Thus $Adv^{DDH}_A$ is non-negligible. □